
Blockchain Information Security and Privacy

Blockchain technology and its derivative uses, such as Bitcoin and smart contracts, have made many attention-grabbing headlines over the past couple of years. As the uses (both real and theoretical) and public awareness of blockchain continue to proliferate, we continue to encounter tension between this technology and existing paradigms. For example, securities regulators and tax authorities have struggled to articulate how cryptocurrency transactions ought to be characterized and treated within existing frameworks. The same paradigm-breaking reckoning with blockchain may soon come to the world of data privacy and information security as both privacy regulations and blockchain technology continue to evolve.

First, what exactly is blockchain technology? In the simplest terms, a blockchain network is a distributed ledger (i.e. decentralized database) with lots of bells and whistles. Being distributed / decentralized means that data does not live in one single place and there is no single owner or administrator of data; instead, data is replicated and synchronized across multiple locations across the network. Instead of an automated clearing house (ACH) for electronic transfers, there is Bitcoin, where a transaction is validated by checking its parameters against records dispersed across the Bitcoin network; instead of an escrow agent, there are smart contracts, where transactions can be automatically executed upon the occurrence of certain conditions. Among the bells and whistles that come with blockchain technology, one important feature is that records on a distributed ledger are immutable – for certain technical reasons that are beyond the scope of this article, records effectively cannot be modified.

The features of blockchain technology make it a great choice for data security. One of the fundamental principles in data security is the “C-I-A” triad, which stands for confidentiality, integrity, and availability. Blockchain technology can help with all three. It can improve the confidentiality of data and transactions because cryptography (i.e. encryption) is central to the blockchain. A smart contract or other blockchain-based application could, for example, allow the conditions and parameters of a transaction to be verified and executed without revealing the underlying substantive data. Blockchain can also improve data integrity because records are immutable and cannot be modified once they are on the blockchain – not even by the original creator of the record. Finally, blockchain can improve data availability because records are distributed and decentralized. The failure of any one location that holds a copy of the data would not compromise the ability to access that data – i.e. there is no single point of failure.

Many people may mistake security for privacy, but the design features of a blockchain network that make it such a useful tool for data security actually make it problematic for privacy. This becomes evident after considering how any blockchain application can comply with the requirements of the European Union’s General Data Protection Regulation (the “GDPR”) and the California Consumer Privacy Act of 2018 (the “CCPA”). The GDPR, which became effective on May 25, 2018, and the CCPA, which does not become effective until January 1, 2020, guarantee that individuals retain a certain amount of control over their personal data and personal information, but blockchain applications are intended to prevent individuals from changing the information contained within their digital ledgers.

For example, Article 16 of the GDPR, which governs an individual’s right to rectification, is difficult to enforce in a blockchain network. It grants to each data subject, i.e., an identified or identifiable natural person, the right to obtain the rectification of his or her personal data retained by a controller, i.e., the person or entity that makes decisions about processing a data subject’s personal data. However, in a decentralized blockchain network, like Bitcoin and other cryptocurrencies, there is not necessarily a clearly identified controller for a data subject to contact to enforce this right.

Problems exist in other sections of the GDPR, as well. Article 17 grants data subjects the right to be forgotten, or, in other words, the right to require that a controller delete all of a data subject’s personal data. In the blockchain context that would likely mean deleting the block in the chain containing the data subject’s data, but that is not necessarily possible when no block in the chain can be deleted. Article 18 grants data subjects the right to place restrictions on the processing of their personal data, but that could limit the functionality of the entire blockchain. For example, a blockchain application that awards tokens, which can be used for retail discounts, based on the data about each person in the chain may not function the way it is intended if some of the individuals in the chain exercise their rights under the GDPR.

The CCPA could pose similar problems when it goes into effect. Under the new California Civil Code Section 1798.120(a), a consumer has the right to instruct a business not to sell the consumer’s personal information to a third party. That is fairly easy when that information exists as an entry in a database. However, a business that tries to sell a blockchain network will have a harder time removing individual blocks from each chain.

The difficulties posed by the GDPR and CCPA are not necessarily insurmountable, and in fact, some of the limitations in those laws may create useful exceptions for blockchain applications. But if you represent clients that use, or are considering the use of, blockchain technology, they should be aware of the requirements that new and pending privacy laws place on them. Clients that know and address those requirements as they build their blockchain networks, or incorporate blockchain into their business operations, will be able to take advantage of blockchain’s data security features without stumbling on its privacy issues.
